Abstract

Some Rabin signature schemes may be exposed to forgery; several variants are described here to counter this vulnerability. Blind Rabin signatures are also discussed.
1 Introduction

The public-key cryptosystems based on the Rabin scheme have in principle two main advantages with respect to some other alternative public-key schemes, namely, they are provably as hard to break as factoring, and they should involve a smaller computational burden, even though practical implementations require some adjustments that diminish the theoretical advantages III 13 HI. The Rabin scheme can be used in different applications, e.g. to exchange secret messages, and to provide electronic signatures. In [5], the Rabin scheme was revisited mainly referring to the exchange of secret messages with respect to the problem of the unique identification of the root at the decryption stage. Further, a deterministic way was presented to compute the padding factor in the classical Rabin signature (cf. [9]). However, this signature is plainly vulnerable to forgery attacks, a weakness that is absent in the Rabin-Williams signature (cf. [6, 12]). A blind Rabin-Williams signature was proposed in [H, however some weaknesses of this signature were shown in [3]. In this paper, we propose some variants of Rabin signatures and blind Rabin signatures, and discuss their resistance to forgery.

2 Preliminaries

All operations are hereafter done in $Z_N$, the residue ring modulo $N = pq$, a product of two primes $p$ and $q$ known only by the signer. A valid signature of a message $m \in Z_N$ consists of an $(\ell + 1)$-tuple of elements $[m, f_1, f_2, \dots, f_\ell]$ of $Z_N$, together with a verifying function $v$ from the set of such tuples into $Z_N^k$, $k \geq 1$, such that $v(m, f_1, f_2, \dots, f_\ell) = 0$. More generally, the message $m$ may belong to some $Z_M$, with $M > N$, but the verifying function uses $H(m)$ as input instead of $m$, where $H(.)$ is a hash function with values in $Z_N$.

The classic Rabin signature of a message $m$ is a triple $(m, U, S)$, where $U$ is a padding factor (found either randomly [10] or deterministically as in [5]) such that the equation $x^2 = mU$ is solvable, and $S$ is one of its roots. Verification is performed by comparing $mU$ with $S^2$. An easy forgery attack computes $S^2$ or $mU$, chooses any message $m'$, computes $U' = S^2 m'^{-1}$, and forges the signature as $(m', U', S)$ without knowing the factorization of $N$. In the original proposal [10], a hash function $H(.)$ is used instead of $m$, and $S$ is a solution of $x^2 = H(mU)$, but this does not help against the above forgery attack.

The Rabin-Williams signature (cf. [6, 12]), which is limited to pairs of primes where one is congruent to 3 and the other to 7 modulo 8, avoids the forgery vulnerability. The signature is a four-tuple $[m, e, f, S]$, where $e \in \{1, -1\}$ and $f \in \{1, 2\}$ are chosen to make the equation $efS^2 = H(m)$ solvable, where $H(.)$ is a convenient hash function. The non-forgeability is based on the limited set of multipliers $e$ and $f$. However, the Rabin-Williams scheme requires the use of two primes respectively congruent to 3 and 7 modulo 8, while the classic Rabin signature works with every pair of primes. A possible Rabin signature that avoids forgery and works for every pair of primes was devised in [8].

Blind signature schemes are cryptographic primitives which are useful in protocols that guarantee the anonymity of the parties. They play an important role in e-commerce, e-money and e-voting procedures. In fact they were introduced by Chaum [2] for privacy-related protocols where the signer and the message author are different parties. The blind signature is a form of digital signature in which a message is disguised before it is signed, while the resulting signature can be publicly verified against the original message in the manner of a regular digital signature. Formally, a message $m$ is disguised by means of a function $d$ and then submitted to the signer. The signed message $[d(m), f_1, f_2, \dots, f_\ell]$ is then made public by the message author in the form of a valid signed message $[m, f'_1, f'_2, \dots, f'_\ell]$.

In our formal discussion, we need a precise notion of forgeability, and we will adopt the 
following definitions: 

Definition 1 A signature of a message $m$, of the form $[m, f_1, f_2, \dots, f_\ell]$, is said to be strongly forgeable if it is feasible for an outsider to derive from it a valid signature $[m', f'_1, \dots, f'_\ell]$ for a given message $m'$.

Definition 2 A signature of a message $m$, of the form $[m, f_1, f_2, \dots, f_\ell]$, is said to be weakly forgeable if it is feasible for an outsider to derive from it a valid signature $[m', f'_1, \dots, f'_\ell]$ for some message $m'$.

Definition 3 A signature of a message $m$, of the form $[m, f_1, f_2, \dots, f_\ell]$, is said to be weakly non-forgeable if it is not feasible for an outsider to derive from it a valid signature $[m', f'_1, f'_2, \dots, f'_\ell]$ for a given message $m'$.

Definition 4 A signature of a message $m$, of the form $[m, f_1, f_2, \dots, f_\ell]$, is said to be strongly non-forgeable if it is not feasible for an outsider to derive from it a valid signature $[m', f'_1, \dots, f'_\ell]$ for some message $m'$.
In other terms, a Rabin signature $[m, f_1, f_2, \dots, f_\ell]$ is strongly non-forgeable if we cannot derive, without knowing the factorization of $N$, any other valid signature $[m', f'_1, f'_2, \dots, f'_\ell]$ whatsoever. Instead, a Rabin signature $[m, f_1, f_2, \dots, f_\ell]$ is weakly non-forgeable if we cannot derive, without knowing the factorization of $N$, a valid signature for a well specified message $m'$.

For example, the Rabin-Williams signature $[m, e, f, S]$ is weakly forgeable if the hash function is the identity function, i.e. $H(u) = u$, because we can derive a valid signature as $[r^2 m, e, f, rS]$ for every factor $r$. But, depending on the hash function, this signature may be strongly non-forgeable. In the same way the RSA signature $[m, m^D]$, where $D$ is the secret counterpart of the public key $E$, is weakly forgeable because we can obtain a valid signature as $[r^E m, r m^D]$ for every factor $r$.

These examples are instances of the following general result. 

Definition 5 A signature of a message $m$ is said to be pseudo-homogeneous if there are nonnegative integers $n_0, \dots, n_\ell, t_1, \dots, t_k$ such that each component $v_i$ of the verifying function $v$ satisfies

$$v_i(\lambda^{n_0} m, \lambda^{n_1} f_1, \lambda^{n_2} f_2, \dots, \lambda^{n_\ell} f_\ell) = \lambda^{t_i}\, v_i(m, f_1, f_2, \dots, f_\ell) \qquad \forall \lambda \in Z_N .$$

In particular, if $v$ is homogeneous of degree $t$, the signature is pseudo-homogeneous with $n_0 = \dots = n_\ell = 1$.

Proposition 1 A pseudo-homogeneous signature is weakly forgeable.

Proof. By definition of pseudo-homogeneity, given a valid signature $[m, f_1, f_2, \dots, f_\ell]$ (therefore $v(m, f_1, f_2, \dots, f_\ell) = 0$), the signature $[\lambda^{n_0} m, \lambda^{n_1} f_1, \lambda^{n_2} f_2, \dots, \lambda^{n_\ell} f_\ell]$ is valid for any $\lambda \in Z_N$.

□

In the case of blind signatures, we must be able to derive a valid signature $[m, f_1, f_2, \dots, f_\ell]$ from the signature of the blind message $[d(m), f_1, f_2, \dots, f_\ell]$; as a direct consequence of the above definitions this entails the following

Proposition 2 A blind signer cannot employ a strongly non-forgeable signature scheme, although the signature of the unblinded message may be strongly non-forgeable.

Proof. The first part of the statement is a simple consequence of the fact that strong non-forgeability implies by definition that it is not possible to derive any other valid signature, which on the other hand must occur as a purpose of the blinding technique. The second part is proved by an actual instance. Let $m$ be the message that we want to be blindly signed; then the message $d(H(m))$ is submitted to the signer, who returns $[d(H(m)), f_1, f_2, \dots, f_\ell]$. This is unblinded as $[H(m), f'_1, f'_2, \dots, f'_\ell]$, but it will be used as $[m, f'_1, \dots, f'_\ell]$ with the assumption that the verification operations should consider the hashed message. If $H(.)$ is a convenient hash function, this signature can be strongly non-forgeable, as we see later.

□
3 Schemes



In this section we propose a general scheme that avoids forgery, and includes the Rabin-Williams signature as a special case. Further, in the case of Blum primes, we present some other forgery-resistant schemes that are based on different principles. In the next section, the use of these schemes to realize blind signatures will be analyzed with respect to forgery. Their resistance to the so-called RSA blinding attack will also be considered. In view of Proposition 2, both strongly and weakly non-forgeable signatures may be of interest for different purposes.



3.1 A general scheme 

The following is a general scheme that works for every pair of primes.

In $Z_N$ a set $\Omega$ can be defined with the property that, for any given $z \in Z_N$, there exists a multiplier $u \in \Omega$ which makes the equation $x^2 = uz$ solvable. In fact, it is sufficient to find 4 numbers $a_1, a_2, b_1, b_2$ such that

$$\left(\frac{a_1}{p}\right) = 1, \qquad \left(\frac{a_2}{p}\right) = -1, \qquad \left(\frac{b_1}{q}\right) = 1, \qquad \text{and} \qquad \left(\frac{b_2}{q}\right) = -1,$$

and form the set

$$\Omega = \left\{ r_1^2(a_1\psi_1 + b_1\psi_2),\ r_2^2(a_1\psi_1 + b_2\psi_2),\ r_3^2(a_2\psi_1 + b_1\psi_2),\ r_4^2(a_2\psi_1 + b_2\psi_2) \right\},$$

where $r_1, r_2, r_3$, and $r_4$ are four random different numbers in $Z_N$ (necessary to prevent an easy factorization of $N$), and $\psi_1$ and $\psi_2$ are integers determined by the extended Euclidean algorithm that satisfy

$$\psi_1 + \psi_2 = 1 \bmod N, \qquad \psi_1 = 0 \bmod q, \qquad \psi_2 = 0 \bmod p.$$

Given the properties above, and writing $z$ as $z_1\psi_1 + z_2\psi_2$ using the Chinese Remainder Theorem, one can easily find the suitable padding factor $u \in \Omega$ such that the two conditions $\left(\frac{uz}{p}\right) = 1$ and $\left(\frac{uz}{q}\right) = 1$ are simultaneously satisfied.



For a Rabin-type signature the public key of each user can then consist of the triple $[N, \Omega, H(.)]$, where $H(.)$ is a suitable hash function, possibly the identity function. The signature process is the following:

Public-key: $N$, $\Omega = \{u_1, u_2, u_3, u_4\}$, and $H(.)$.

Signed message: $[m, u, S]$, where $u$ is the padding factor in $\Omega$ which makes the equation $x^2 = H(m)u$ solvable, and $S$ is any solution of this equation.

Verification: Check that $u$ belongs to $\Omega$; compute $H(m)u$ and $S^2$; the signature is valid if and only if these two numbers are equal.

The verification cost is one square and one product in $Z_N$, plus the evaluation cost of the hash function.

The main advantages of this signature with respect to forgery are shown in the following theorem. 
Theorem 1 The signature $[m, u, S]$ is weakly non-forgeable. It is weakly forgeable if the hash function $H(.)$ is the identity function $H(z) = z$, while it is strongly non-forgeable if $H(.)$ is a convenient hash function, in particular, if $H(z) = z(z+1)$ (in this case the hash function is as hard to invert as factoring, and no hardness of other problems is used).

Proof. In the relation $S^2 = H(m)u$ the number of available padding factors is restricted to 4, thus for a given $S$ and correspondingly $S^2$ only 4 values for $H(m)$ are allowed. The small number of possible padding factors is what makes the signature resistant to forgery. Precisely, this implies that the signature is at least weakly non-forgeable, since it is not possible to choose any $m'$ and derive a valid signature on it. Furthermore, the random factors $r_i$ introduced in building $\Omega$ prevent a factorization of $N$. This can be checked, at the creation of the public key, by verifying that the $u_i$ are not among the square roots of unity and that the differences $u_i - u_j$, with $i \neq j$, have no factors in common with $N$.

If $H(z) = z$, the signature $[m, u, S]$ is pseudo-homogeneous and weakly forgeable as $[r^2 m, u, rS]$ for any $r \in Z_N$, since we have

$$r^2 m u = r^2 S^2 \iff mu = S^2 ,$$

which is true by definition.

If $H(.)$ is a convenient hash function, finding $m'$ from a new $S'$ is infeasible. The special case $H(z) = z(z+1)$ is chosen so as to rely on the hardness of factoring and such that it does not make the signature pseudo-homogeneous.

□ 
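The following is an added example, not code from the paper or its authors: it builds the set $\Omega$ of Section 3.1 over constructed toy Blum primes $p, q \equiv 3 \bmod 4$ (so that a square root modulo each prime is a single exponentiation; the scheme itself works for any pair of primes), applies the two public-key checks from the proof of Theorem 1, signs with $H(z) = z(z+1)$, and shows that the forgery of Section 2, $U' = S^2 H(m')^{-1}$, is rejected because $U'$ does not belong to $\Omega$. The primes, sample messages and function names are assumptions of the example.

```python
# Added example (not the paper's code): the general scheme of Section 3.1.
from math import gcd
import random

P, Q = 1019, 1031          # constructed toy Blum primes (p, q = 3 mod 4); far too small for real use
N = P * Q

def H(m):
    """Hash from Theorem 1: H(z) = z(z + 1) mod N."""
    return m * (m + 1) % N

def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, returned as +1, -1 or 0."""
    s = pow(a, (p - 1) // 2, p)
    return -1 if s == p - 1 else s

def crt_basis(p, q):
    """psi1 = 1 mod p, 0 mod q and psi2 = 0 mod p, 1 mod q, so psi1 + psi2 = 1 mod N."""
    n = p * q
    return q * pow(q, -1, p) % n, p * pow(p, -1, q) % n

def sqrt_mod_pq(z, p, q):
    """One root of x^2 = z mod pq, assuming z is a QR mod both Blum primes."""
    psi1, psi2 = crt_basis(p, q)
    return (pow(z, (p + 1) // 4, p) * psi1 + pow(z, (q + 1) // 4, q) * psi2) % (p * q)

def key_is_safe(omega, n):
    """Theorem 1 proof: no u_i is a square root of unity, no u_i - u_j shares a factor with N."""
    return (all(u * u % n != 1 for u in omega) and
            all(gcd(u - v, n) == 1 for i, u in enumerate(omega) for v in omega[i + 1:]))

def make_omega(p, q, seed=7):
    """Omega = { r_i^2 (a psi1 + b psi2) } for (a1/p)=1, (a2/p)=-1, (b1/q)=1, (b2/q)=-1,
    with random r_i hiding a and b; rebuilt until key_is_safe holds."""
    n, (psi1, psi2), rng = p * q, crt_basis(p, q), random.Random(seed)
    a1, a2 = (next(a for a in range(2, p) if legendre(a, p) == s) for s in (1, -1))
    b1, b2 = (next(b for b in range(2, q) if legendre(b, q) == s) for s in (1, -1))
    while True:
        omega = [rng.randrange(2, n) ** 2 * (a * psi1 + b * psi2) % n
                 for a, b in ((a1, b1), (a1, b2), (a2, b1), (a2, b2))]
        if key_is_safe(omega, n):
            return omega

def sign(m, p, q, omega):
    """Choose the u in Omega that makes x^2 = H(m) u solvable and return [m, u, S]."""
    h = H(m)
    u = next(u for u in omega if legendre(h * u, p) == 1 and legendre(h * u, q) == 1)
    return m, u, sqrt_mod_pq(h * u % (p * q), p, q)

def verify(sig, n, omega):
    """Section 3.1 verification: u must belong to Omega and S^2 must equal H(m) u."""
    m, u, s = sig
    return u in omega and s * s % n == H(m) * u % n

def classic_forgery(sig, m_new, n):
    """The Section 2 attack on plain Rabin: reuse S and set U' = S^2 / H(m').
    verify() rejects it here because U' is (with overwhelming probability) not in Omega."""
    _, _, s = sig
    return m_new, s * s * pow(H(m_new), -1, n) % n, s
```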



3.2 Blum primes 

If the Rabin scheme is restricted to Blum primes, then it is possible to avoid the use of the set of multipliers $\Omega$ in at least two ways.

In Variant I, the cost to pay is a further parameter in the signature, which consists of a four-tuple $[m, U, S, T]$.

Let $H(m)$ be written in the form $H(m) = m_1\psi_1 + m_2\psi_2$, with $m_1 = H(m) \bmod p$ and $m_2 = H(m) \bmod q$. The padding factor $U$ can be chosen deterministically as in [5] as $U = R^2[f_1\psi_1 + f_2\psi_2]$, where $R$ is a random number, $f_1 = \left(\frac{m_1}{p}\right)$ and $f_2 = \left(\frac{m_2}{q}\right)$. In fact, the equation

$$x^2 = H(m)U = R^2 (m_1\psi_1 + m_2\psi_2)(f_1\psi_1 + f_2\psi_2) = R^2 (m_1 f_1 \psi_1 + m_2 f_2 \psi_2)$$

is always solvable modulo $N$, because $m_1 f_1$ and $m_2 f_2$ are clearly quadratic residues modulo $p$ and modulo $q$, respectively, since for Blum primes $\left(\frac{f_1}{p}\right) = f_1^{(p-1)/2} = f_1$ and $\left(\frac{f_2}{q}\right) = f_2^{(q-1)/2} = f_2$, so that

$$\left(\frac{m_1 f_1}{p}\right) = \left(\frac{m_1}{p}\right)\left(\frac{f_1}{p}\right) = \left(\frac{m_1}{p}\right)^2 = 1, \qquad \left(\frac{m_2 f_2}{q}\right) = \left(\frac{m_2}{q}\right)\left(\frac{f_2}{q}\right) = \left(\frac{m_2}{q}\right)^2 = 1.$$

Then $S$ is chosen among the roots of the equation $x^2 = H(m)U$ with the further constraint that the equation $y^2 = (U+1)S$ is solvable. This is always possible because in the case of Blum primes the four roots of a quadratic equation form a complete set of padding factors as above. Lastly, $T$ is a root of $y^2 = (U+1)S$.

In Variant II, the padding factor is a square root of unity, but it is not a public element of the signature. In this case a triple will be sufficient to define a signature that is resistant to forgery.



Variant I

The signature process is the following:

Public-key: $[N, H(.)]$

Signed message: $[m, U, S, T]$, where $U$ is a padding factor which makes the equation $x^2 = H(m)U$ solvable, and $S$ is a root of this equation such that the equation $y^2 = (U+1)S$ is solvable; then $T$ is any root of this equation.

Verification: Check whether $T^2 = (U+1)S$, then check whether $S^2 = H(m)U$; the signature is valid if and only if both equalities hold.

The verification cost is two squares and two products in $Z_N$, plus the evaluation of a hash function. Note that, if $U$ is chosen deterministically as above, it is possible to make different signatures of the same message. Clearly, $U$ should not be $\psi_1 - \psi_2$ or $-\psi_1 + \psi_2$, because these square roots of unity would unveil the factorization of $N$; in fact adding 1 to either of them gives a multiple of $p$ or a multiple of $q$. Lastly, the signature is forgery resistant as proved in the following theorem.

Theorem 2 The signature $[m, U, S, T]$ is weakly non-forgeable. It is weakly forgeable if $H(z) = z$ and strongly non-forgeable if $H(.)$ is a convenient hash function, in particular, if $H(z) = z(z+1)$.

Proof. A forged signature for a given message $m'$ has to involve a new $U'$ and possibly a new $S'$. In either case finding the new $T'$, root of a second degree equation, requires the knowledge of the factorization of $N$. Therefore the signature is weakly non-forgeable.

If $H(z) = z$ the signature is weakly forgeable, by taking a new $T'$, finding suitable $S'$ and $U'$ and finally $m' = S'^2/U'$. If $H(.)$ is a convenient hash function, in particular, if $H(z) = z(z+1)$, finding $m'$ is infeasible.

□ 
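An added example, not the paper's code, of Variant I over constructed toy Blum primes: the padding factor $U = R^2(f_1\psi_1 + f_2\psi_2)$, the selection of the single root $S$ of $x^2 = H(m)U$ for which $y^2 = (U+1)S$ is solvable, the root $T$, and the two-equation verification. The guard rejecting a $U$ for which $U + 1$ shares a factor with $N$ follows the remark above; primes, messages and function names are assumptions of the example.

```python
# Added example (not the paper's code): Variant I of Section 3.2 over toy Blum primes.
import random
from math import gcd

P, Q = 1019, 1031          # constructed toy Blum primes (p, q = 3 mod 4); far too small for real use
N = P * Q

def H(m):
    """Hash from Theorem 2: H(z) = z(z + 1) mod N."""
    return m * (m + 1) % N

def legendre(a, p):
    s = pow(a, (p - 1) // 2, p)
    return -1 if s == p - 1 else s

def crt_basis(p, q):
    """psi1 = 1 mod p, 0 mod q; psi2 = 0 mod p, 1 mod q."""
    n = p * q
    return q * pow(q, -1, p) % n, p * pow(p, -1, q) % n

def all_roots(z, p, q):
    """The four roots of x^2 = z mod pq for a QR z; for Blum primes each local root is z^((p+1)/4)."""
    psi1, psi2 = crt_basis(p, q)
    rp, rq = pow(z, (p + 1) // 4, p), pow(z, (q + 1) // 4, q)
    return [(sp * rp * psi1 + sq * rq * psi2) % (p * q) for sp in (1, -1) for sq in (1, -1)]

def padding(h, p, q, r):
    """U = R^2 (f1 psi1 + f2 psi2) with f1 = (m1/p), f2 = (m2/q), so that H(m) U is a square mod N."""
    psi1, psi2 = crt_basis(p, q)
    return r * r * (legendre(h, p) * psi1 + legendre(h, q) * psi2) % (p * q)

def sign(m, p, q, seed=11):
    """Return [m, U, S, T]: S is the unique root of x^2 = H(m) U for which (U + 1) S is again a
    square mod N (exactly one of the four roots works with Blum primes); T is a root of y^2 = (U + 1) S."""
    n, h, rng = p * q, H(m), random.Random(seed)     # seeded only so the example is reproducible
    u = padding(h, p, q, rng.randrange(2, n))
    while gcd(u + 1, n) != 1:                        # U + 1 sharing a factor with N would leak p or q
        u = padding(h, p, q, rng.randrange(2, n))
    s = next(s for s in all_roots(h * u % n, p, q)
             if legendre((u + 1) * s, p) == 1 and legendre((u + 1) * s, q) == 1)
    return m, u, s, all_roots((u + 1) * s % n, p, q)[0]

def verify(sig, n):
    """Variant I verification: T^2 = (U + 1) S and S^2 = H(m) U."""
    m, u, s, t = sig
    return t * t % n == (u + 1) * s % n and s * s % n == H(m) * u % n

def root_candidates(sig, p, q):
    """How many of the four roots of x^2 = H(m) U make (U + 1) S a square (expected: exactly one)."""
    m, u, _, _ = sig
    n = p * q
    return sum(legendre((u + 1) * s, p) == 1 and legendre((u + 1) * s, q) == 1
               for s in all_roots(H(m) * u % n, p, q))
```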



Variant II. The signature process is the following:

Public-key: $[N, H(.)]$

Signed message: $[m, F, R^4]$, where $R$ is a secret random number, $S$ is a root of the equation $x^2 = H(m)U$, where the padding factor $U$ is chosen as $U = \left(\frac{H(m)}{p}\right)\psi_1 + \left(\frac{H(m)}{q}\right)\psi_2$, and $F = RS$.

Verification: Check whether $R^4 H(m)^2 = F^4$; the signature is valid if and only if the equality holds.

The algorithm works because $F^4 = R^4 S^4 = R^4 H(m)^2 U^2 = R^4 H(m)^2$, given that $U^2 = 1$. For this scheme the verification cost is seven squares and three products, plus the evaluation of a hash function. It is possible to make different signatures of the same message by choosing different random numbers $R$.

Theorem 3 The signature $[m, F, R^4]$ is weakly non-forgeable. It is weakly forgeable if $H(z) = z$ and strongly non-forgeable if $H(.)$ is a convenient hash function, in particular, if $H(z) = z(z+1)$.

Proof. Given $m'$, forgery is not possible because, choosing w.l.o.g. $F'$, only a number $K$ such that $K H(m')^2 = F'^4$ can be found, but not a fourth root of it. As above, weak forgeability in case of $H(z) = z$ follows from pseudo-homogeneity and strong non-forgeability from the hardness of inverting the hash function.

□ 

Note that using $R^2$ in the signature instead of $R^4$ would expose $S^2$ and therefore $U$, which would unveil the factorization of $N$ if $U$ is not $\pm 1$ but one of the other two roots of unity.

3.3 Blind Rabin signature 

In principle, a blind Rabin signature is obtained as follows. Let A be the message author and B be the signer with public key $N$:

1. A wants the message $m$ to be signed by B without disclosing the message itself (or part of the message), so he chooses a random number $r$ and submits the disguised message $r^2 m$ to the signer.

2. The signer B produces the signed message $[r^2 m, u, S]$, where $S$ is a root of $x^2 = u r^2 m$ and $u$ is a random padding factor, and sends the signed message to A.

3. A receives the signed blind message $[r^2 m, u, S]$ and produces $[m, u, S/r]$, the signature for the original message.

This simple mechanism may be subject to forgery and to other kinds of attacks, like for example the RSA blinding attack, which aims at using the blind signature protocol to decrypt messages that were encrypted using the public key of the signer.

Further, our Proposition 2 shows that the blind signer cannot use a strongly non-forgeable signature scheme; nevertheless, the open signed message may be strongly non-forgeable.

Let $H(.)$ be a hash function used by the message author. Consider the following process:

Public-key: $[N, H(.)]$

Disguised message: $r^2 H(m)$, where $m$ is the original message to be signed, and $r$ is a random factor chosen by the author. This message is submitted to the blind signer.

Blindly signed message: $[r^2 H(m), F, R^4]$, where $F = RS$, with $R$ a random factor chosen by the signer, and $S$ a root of the quadratic equation $x^2 = r^2 H(m) u$, the padding factor $u$ being defined as in Variant II.

Signed message: $\left[m, \frac{F}{r^2}, \frac{R^4}{r^4}\right]$.

Verification: Check whether $H(m)^2 \left(\frac{R}{r}\right)^4 = \left(\frac{F}{r^2}\right)^4$; the signature is valid if and only if the equality holds.

The prime factors of the modulus $N$ are Blum primes, as we are using the scheme of Variant II. The verification cost is seven squares and three products, plus the evaluation of a hash function. The signature of the original message is strongly non-forgeable, and the blind signature is not vulnerable to the RSA blinding attack, as proved in the following theorem.

Theorem 4 The blind signature $[r^2 H(m), F, R^4]$ is weakly non-forgeable and is not vulnerable to the RSA blinding attack. The open signed message $\left[m, \frac{F}{r^2}, \frac{R^4}{r^4}\right]$ is strongly non-forgeable if $H(.)$ is a convenient hash function, in particular, if $H(m) = m(m+1)$.

Proof. The blind signature $[r^2 H(m), F, R^4]$ is weakly forgeable as $[t^2 r^2 H(m), tF, R^4]$ for every $t \in Z_N$, but to build a signature for a given message $m'$ involves solving a quadratic equation, which is unfeasible without knowing the factors of $N$, as already seen in discussing Variant II. The signature is not vulnerable to the RSA blinding attack because a square root of the message sent to the signer does not appear in the blind signature, as it is multiplied within $F$ by the random factor $R$, which is unknown to both author and attackers.

The author's signed message is taken as $\left[m, \frac{F}{r^2}, \frac{R^4}{r^4}\right]$, with the blinding factor $r$ masking the random number $R$, for otherwise the signer may recognize the signed message by means of the random number $R^4$, thus breaking the anonymity.

Lastly, the signed message $\left[m, \frac{F}{r^2}, \frac{R^4}{r^4}\right]$ is strongly non-forgeable if $H(.)$ is a convenient hash function, in particular, if $H(m) = m(m+1)$, as seen in Theorem 3.

□ 
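An added example, not the paper's code, covering Variant II of Section 3.2 and the blind protocol of Section 3.3 built on it, over constructed toy Blum primes: the signer returns $[z, F = RS, R^4]$ for whatever value $z$ it is handed ($H(m)$ directly, or the disguised $r^2 H(m)$), and the author unblinds to $[m, F/r^2, R^4/r^4]$, which verifies against $H(m)$ while no longer carrying the signer's $R^4$. Function names (`sign_v2`, `blind`, `unblind`), seeds, primes and messages are assumptions of the example.

```python
# Added example (not the paper's code): Variant II of Section 3.2 and the blind protocol
# of Section 3.3 built on it, over toy Blum primes.
import random

P, Q = 1019, 1031          # constructed toy Blum primes (p, q = 3 mod 4); far too small for real use
N = P * Q

def H(m):
    """Hash from Theorems 3 and 4: H(z) = z(z + 1) mod N."""
    return m * (m + 1) % N

def legendre(a, p):
    s = pow(a, (p - 1) // 2, p)
    return -1 if s == p - 1 else s

def crt_basis(p, q):
    """psi1 = 1 mod p, 0 mod q; psi2 = 0 mod p, 1 mod q."""
    n = p * q
    return q * pow(q, -1, p) % n, p * pow(p, -1, q) % n

def sqrt_mod_pq(z, p, q):
    """One root of x^2 = z mod pq, assuming z is a QR mod both Blum primes."""
    psi1, psi2 = crt_basis(p, q)
    return (pow(z, (p + 1) // 4, p) * psi1 + pow(z, (q + 1) // 4, q) * psi2) % (p * q)

def padding(z, p, q):
    """Variant II padding U = (z/p) psi1 + (z/q) psi2: a square root of unity making zU a square."""
    psi1, psi2 = crt_basis(p, q)
    return (legendre(z, p) * psi1 + legendre(z, q) * psi2) % (p * q)

def sign_v2(z, p, q, seed):
    """Signer side (needs p, q). z is either H(m) or the blinded r^2 H(m).
    Returns (F, R^4) with F = R S, S a root of x^2 = z U; U and R stay secret."""
    n, rng = p * q, random.Random(seed)            # seeded only so the example is reproducible
    s = sqrt_mod_pq(z * padding(z, p, q) % n, p, q)
    R = rng.randrange(2, n)
    return R * s % n, pow(R, 4, n)

def verify_v2(h, f, r4, n):
    """Public check R^4 h^2 = F^4; it holds because S^4 = h^2 U^2 = h^2."""
    return r4 * h * h % n == pow(f, 4, n)

def blind(m, r, n):
    """Author side: disguise H(m) with the random factor r before sending it to the signer."""
    return r * r * H(m) % n

def unblind(f, r4, r, n):
    """Author side: [r^2 H(m), F, R^4] -> [m, F / r^2, R^4 / r^4]. The published pair no longer
    contains the signer's R^4, so the signer cannot link the open signature to the blind request."""
    r_inv = pow(r, -1, n)
    return f * r_inv * r_inv % n, r4 * pow(r_inv, 4, n) % n
```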

4 Conclusions 

In this paper we have presented several Rabin signature schemes and considered their resistance to forgery. We have also described blind Rabin signature schemes, which are cryptographic primitives useful in protocols that guarantee the anonymity of the participants. In such contexts, it is shown that the proposed schemes can be made resistant to the RSA blinding attack.